Your Cloud Was Breached. Now What?

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

Bill Kleyman,
User Rank: Apprentice
3/14/2014 | 11:16:26 AM

Re: Leave the intruder alone for a little while longer?

@Charlie - I was just waiting for someone to give me a solid use-case. The advanced nature of today's modern infrastructure allows us to do great things with technology. Virtualization, cloud, and a distributed platform optimizes data flow and application delivery.

However, all of this presents new types of targets. So, we have a few scenarios here...

There are a number of different types of cloud-based attacks that can and do happen. These include port attacks, DDoS, application-specific threats, database attacks and much more.

So the answer really depends on the attack and who it's against. Let's look at this example - According to a recent Arbor Networks report, DDoS attacks originally targeted Spamhaus on 16th March, 2013. Spamhaus engaged the services of CloudFlare (http://blog.cloudflare.com/) who were able to mitigate the initial attacks successfully. The attacks then escalated between 19th and 21st March exhausting the capabilities of CloudFlare. The report goes on to say that the attacks also moved on to target next-hop addresses at IX's around the world (AMS-IX, DEC-IC, HK-IX, Equinix and LINX) causing congestion and a perceived Internet slow down in some geographies. ISPs around the world have worked to deploy filters to mitigate the impact of the attacks.

In this case, it was a scramble to halt this type of congestion and attack.

In other cases, very specific attacks may target a service or an application. During this attack a malicious piece of software or user continue to run and operate on the system. In these cases you still need to isolate the application or data point to identify and quantify the ramifications of the attack. If it's a VM, snapshotting it will allow you to see present-state metrics around the attack. Of course, governance and compliance play a big role as well.

Basically, there will be cases where a security professional will want to regain control, monitor, and remediate a potential attack.

Reply | Post Message | Messages List | Start a Board

50%

Bill Kleyman,
User Rank: Apprentice
3/14/2014 | 10:56:51 AM

Re: Thanks for great post.

I second that :) Much appreciated!

Reply | Post Message | Messages List | Start a Board

50%

Charlie Babcock,
User Rank: Ninja
3/13/2014 | 12:34:24 PM

Leave the intruder alone for a little while longer?

Bill, your description of needing to be prepared to preserve the server and storage as is for forensic analysis is extremely interesting. Nice job of that. But tell me, doesn't that assume the damage caused by the breach is a fait accompli and over? What if an intruder or active malware is still at work? Do you have to allow it to continue as you go about snapshotting and recording? That would be hard to do.

Reply | Post Message | Messages List | Start a Board

50%

Marilyn Cohodas,
User Rank: Strategist
3/13/2014 | 11:21:43 AM

Re: Thanks for great post.

thanks for the complement for Bill, Eddiemayan. What did you like about the post? Tell us what you learned, or what you will do differently after reading it.

Reply | Post Message | Messages List | Start a Board

50%

Eddie Mayan,
User Rank: Apprentice
3/13/2014 | 8:03:26 AM

Thanks for great post.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

COVID-19: Latest Security News & Commentary

Dark Reading Staff 6/3/2020

Data Loss Spikes Under COVID-19 Lockdowns

Seth Rosenblatt, Contributing Writer, 5/28/2020

Abandoned Apps May Pose Security Risk to Mobile Devices

Robert Lemos, Contributing Writer, 5/29/2020

Webinars

The Threat From the Internet - and What Your Organization Can Do About It

Enabling a Smooth DX Transformation in the Post-Pandemic New Tomorrow

Don't Miss this Dark Reading Virtual Event on Critical Data Breaches

Webinar Archives

White Papers

Securing IT & OT in Industrial Environments

Ransomware Response Report: Trends & Outlook

How Cybersecurity Incident Response Programs Work (and Why Some Don't)

Considerations for Intelligent Power Management within High-Density Deployments

10 Things to Consider Before Buying a Mobile Device Management Solution

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: This comment is waiting for review by our moderators.

Cartoon Archive

Current Issue

How Cybersecurity Incident Response Programs Work (and Why Some Don't)

This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

Download this report to find out what organizations are doing to secure their endpoints and to protect themselves against malware, hackers, and social engineering attacks.

Download Now!

State of Cybersecurity Incident Response

0 comments

How Enterprises Are Developing and Maintaining Secure Applications

0 comments

How Enterprises are Attacking the Cybersecurity Problem

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2020-13777
PUBLISHED: 2020-06-04

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...

CVE-2020-10548
PUBLISHED: 2020-06-04

rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

CVE-2020-10549
PUBLISHED: 2020-06-04

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

CVE-2020-10546
PUBLISHED: 2020-06-04

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

CVE-2020-10547
PUBLISHED: 2020-06-04

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]